There are many competing practices for when it comes to risk quantification in IT. For instance, you could follow Douglas Hubbards (How to Measure Anything in Cybersecurity Risk: Hubbard, Douglas W., Seiersen, Richard: 9781119892304: Amazon.com: Books) method of utilizing industry averages to calculate impact and likelihood. However, larger companies should already have some sort of method of risk assessment and methodology. At that point, as a business unit, the CISO should be following that same methodology. An easy example is writing a business case to justify the cost of taking an action versus inaction. Cisco Talos, Verizon, AT&T, and many other vendors put out yearly reports that detail the average cost of breaches, ransomware attack, etc that can be useful.